How to Know If You've Been Hacked

By Roman Tuma, Director of IBM Security, Asia Pacific

Here’s a terrifying statistic – at least 1 billion records of Personally Identifiable Information (PII) were leaked in 2014. Hackers are becoming more sophisticated, so security experts need to be educated on the different ways attackers may enter their system. This knowledge is important as hackers lingering inside a network for longer periods of time will ultimately lead to a more serious data compromise.

So, what are the tell-tale signs that you may be the victim of a hack?

"Security experts must be proactive in the search for attackers instead of waiting for something to tell you that you’ve been breached."

Security experts must be proactive in the search for attackers instead of waiting for something to tell you that you’ve been breached. A recent IBM X-Force report took a look at the top indicators of compromise so you can spot them before a hacker is able to leverage vulnerabilities and steal valuable information.

Detailed below are the top indicators from the report that your network has been breached by an attacker that you should constantly be on the lookout for.

Unusual Outbound Network Traffic: While it’s tough to keep hackers out of networks, outbound patterns are easily detectable and can be a sign of malicious activity. With visibility into this traffic, you can respond quickly before data is lost or major damage is caused.

Anomalies in Privileged User Account Activity: Attackers often try to escalate privileges of a user account they’ve hacked. Monitoring privileged accounts for unusual activity not only opens a window on possible insider attacks, but can also reveal accounts that have been taken over by unauthorized sources. Keep an eye on systems accessed, type and volume of data accessed, and the time of the activity can give early warning of a possible breach.

Large Numbers Of Requests For The Same File: When a hacker finds a file they want – customer or employee information, credit card details, etc. – they will try to create multiple attacks focused it obtain it. Monitor for an amplified number of requests for a specific file.

Geographical Irregularities: It may seem obvious, but it’s important to track the geographic location of where employees are logging in from.

Database Extractions: Closely monitor and audit your databases to know where sensitive data resides, and to detect suspicious activity, unauthorized usage and unusual account activity. Watch closely for large amounts of data being extracted from databases, this can be a clear indicator that someone is attempting to obtain sensitive information.

Unexpected Patching of Systems: If one of your critical systems was patched without your initiation, it may be a sign of a compromise. While it seems strange that a hacker would repair vulnerability, it’s all about the value of the data to them, and keeping other interested criminals away from it. Once they get inside, they often try to add a patch to the vulnerability they used to gain access to the system so that other hackers cannot get in through the same vulnerability. If an unplanned patch appears, it’s worth investigating for a potential attack.

These are just a handful of the different indicators of compromise to keep on the radar. While the indicators of compromise always change and vulnerability requires unique responses, these top indicators are a solid start to understand what to watch out for in the fight against cyber crime.